Only 10% of small businesses are ready for the GDPR

FSB finds a third of small companies haven’t even begun the process of complying with regulations coming this May; experts warn HR could face rising admin burden under new regime

With less than three months to go until the General Data Protection Regulation’s (GDPR) arrival on 25 May 2018, the vast majority (more than 90%) of UK small businesses are not yet complying with its requirements, according to a new survey from the Federation of Small Businesses (FSB).

One-third (33%) of the small firms surveyed by the FSB said they had not yet begun their journey to compliance. Just 8% said their preparations for GDPR were complete.

Sectors that are least prepared for the GDPR included accommodation and food (53% have not yet started GDPR preparations), arts and entertainment (52%), and wholesale and retail (41%).

“The GDPR is the biggest shake-up in data protection to date and many small businesses will be concerned that the changes will be too much to handle,” said Mike Cherry, national chairman of the FSB. “It’s clear that a large part of the small business community is still unaware of the steps that they need to take to comply and may be left playing catch-up.”

Nearly two-thirds of small businesses said they use employee data – the third-largest category of personal data that they use, behind customer and supplier data.

“The GDPR covers all personal data an organisation holds – including information about its workers, employees or volunteers,” said Mark Fielding, information security officer at CIPHR. “It’s vital HR teams have a robust process in place for keeping information up to date, and deleting personal data that is no longer required.”

Meanwhile, a separate report by database software firm Senzing has estimated that European firms could expect to receive an average of 89 separate subject access requests (SARs) per month under the GDPR. It estimates that each request will mean searching an average of 23 databases for five minutes each – meaning the total time spent satisfying SARs could reach 172 hours a month, which equates to one full-time employee.

“In the absence of a technological solutions, business will need to hire in some cases many employees on a full-time basis just to handle the volume of data enquiries,” said Jeff Jonas, Senzing’s CEO.

Currently, any individual has the right to request data that an organisation holds about them via an SAR – including employment data – but each request costs £10. Under the GDPR, requests will be free and organisations must supply the information in just 30 days, down from 40 days.

The change presents a dual challenge for HR; ensuring that the wider organisation’s workforce has sufficient capacity to comply with SARs, and also making sure that the function itself is able to satisfy SARs related specifically to employment information.

“HR departments that hold employee data in disparate systems and spreadsheets will find it hard to comply quickly with SARs,” says Fielding. “Opting to store worker data in a single, secure people management system will enable HR teams to comply with such requests more easily.”